The prevalence of maritime cyberattacks doubled in 2025, according to Korean security firm Cytur, led by an explosion of malware and distributed denial of service (DDoS) incidents. Some of the most concerning examples involved a high-level penetration of the shoreside supply chain, giving the attackers useful information about systems (or even remote access) at a fleet level. Others extended to worst-case scenarios: destroyed equipment, hacked ECDIS chart systems, and remote control of ballast valves.

Hackers are getting better at targeting shipping, Cytur's report shows, and they have a reason: money. Access is the same as ever - exploiting unwitting crewmembers via phishing emails; breaching unprotected public wifi used by the crew; or sneaking aboard via a hacked USB drive, whether by bribing a crewmember to use the drive or by accident. But cyber threat actors are finding more ways to monetize vessel information, whether by encrypting it, holding it hostage and demanding a ransom from the operator, or by stealing it and selling it to third parties on the Dark Web.

Illicit items found for sale online include voyage logs, cargo manifests, ship design schematics and the personal information of the crew, according to Cytur. Often the operator will pay to avoid having their internal records released: one common ransomware attack involves encrypting the ship's Planned Maintenance System (PMS), forcing the operator to pay in order to recover the voyage's logs. Ransomware attacks and data theft are often found in high-traffic regions, like Asian waters and major hub ports, Cytur said.

Another common form of attack is distributed denial of service (DDoS), a brute-force swarm of automated activity that swamps a network and crowds out legitimate traffic. Hackers may hijack vulnerable onboard routers and other IT infrastructure, then use them to send so many requests that the traffic overwhelms the capacity of the ship's satcom connection, temporarily rendering the ship unable to exchange messages with the home office.

More concerning, though, are hacks targeted at disabling or hijacking ship systems. The "Lab Dookhtegan" ("sewn lips") attack on Iranian tonnage last year was a concerning example. The threat group systematically targeted an Iranian satcom provider, Fanava, to carry out an attack high up the digital supply chain for Iran's state-owned fleet of tankers. After penetrating Fanava, Lab Dookhtegan obtained fleetwide control over ship-to-shore VoIP services, making it harder for the vessels to communicate with the home office or with port officials.

While in possession of access to the ships' networks, the Lab Dookhtegan group stole corporate documents belonging to Iranian state firms NITC and IRISL, then released them online. When done with its access mission, it destroyed the ships' modems by overwriting partitioned memory; physical replacement of the hardware was required.

Another advanced supply chain attack occurred in October, when Japanese radar and ECDIS builder Furuno was hit by ransomware. The hacking threat group, known as Rhysida, stole Furuno's internal data and threatened to release it; meanwhile, it encrypted the firm's data, disabled backup servers and demanded payment. The attack temporarily interfered with service, updates and parts shipments for Furuno.

Most concerning may be hacking attacks on operational technology (OT), like engine control systems and ballast water systems. Cytur warned that the remote access communications protocols baked into equipment electronics - used by OEM troubleshooting teams to remotely diagnose errors and make changes - remain a vulnerability. If a hacker could remotely control engine output, or ballasting, the results could be catastrophic.

Going forward, Cytur anticipates that AI agent-assisted attacks will become more prevalent, and that this year will be the beginning of an era of "autonomous attacks" with largely or fully AI-directed hacking campaigns. This will de-skill cyber crime, opening up the door to a larger number of would-be hackers, the consultancy predicts.

"The incident data from 2024 and 2025 proves that maritime cybersecurity is no longer an ‘option’ but a matter directly linked to a vessel’s ‘right to operate,’" said Cho Yong Hyun, CEO of Cytur.